Original reporting and feature articles on the latest privacy developments

The All-New IAPP Mobile App Privacy Tool

Only six years after the first app store opened, the mobile app ecosystem has become a multi-billion dollar industry. Need to find a coupon, catch a cab, quit your job, see in the dark, find a date, lose weight, compose a song, read a book, monitor your heart rate, turn a channel, or, at this time of year, just buy some Girl Scout cookies? Well, there’s an app for that, as the slogan goes.

With nearly unlimited niches to fill and a global audience within reach, the mobile app universe can be richly rewarding—but it can also present privacy pitfalls for those who leap before they look. Regulators globally have begun to turn a watchful eye toward the privacy and security practices of mobile apps. For example, the FTC has recently settled an enforcement action against the popular Brightest Flashlight app, while Canadian and Dutch privacy regulators concluded a joint crackdown against the ubiquitous messaging service WhatsApp. To help industry players “do the right thing,” several regulators and industry groups have released best practices or guidance papers for participants in the mobile ecosystem. Alas, you may now find it difficult to navigate the numerous guidance documents in order to understand what your app or mobile platform can and can’t do with users’ data.

Navigating Mobile Privacy Compliance

This week, the IAPP Westin Research Center launches a new tool to help you comply with the standards and obligations imposed by leading regulators and trade associations in both the U.S. and Europe. We realize that employing expensive consultants and law firms may not be an option for you right out of the gate. So, now you can get a head start on creating a privacy policy, providing transparency and choice, negotiating with vendors and building an app with “privacy by design.”

The IAPP’s Mobile App Privacy Tool will help you navigate through seven important guidance documents, whether you are an app developer, platform designer, operating system provider, device manufacturer, ad network or any other interested party. To simplify the various guidance documents, the tool divides the requirements in each document into nine distinct topic tabs to help you hone in on what is most relevant for your mobile work. The nine categories include data collection, data retention, notice and transparency, choice and consent, accountability and oversight, specific privacy controls, security and children’s privacy, as well as a miscellaneous category that functions as a guide-specific catch-all. In addition, each guidance note and category is divided into tabs to help distinguish between obligations imposed on different players in the ecosystem, such as app developers, platform designers or ad networks. (Not all guidance documents address each and every party).

Hence, you can “slice and dice” the guidance notes as needed, checking, for example, what notice requirements are for various players across several documents; what app developers are obligated to do in California, or what European regulators have to say about data retention limits.

The Guides

In using the Mobile App Privacy Tool, you will access the most recent, mobile app-specific guidance from seven leading regulators and industry groups. Hence, the tool reflects industry best practices, privacy advocates’ input, as well as non-binding recommendations from both U.S. and European regulators. The seven guides covered by the tool are:

The California Attorney General’s Privacy Office sets one of the highest standards for privacy and data protection, recommending a “surprise minimization” approach to app building. This means “supplementing the general privacy policy with enhanced measures to alert users and give them control over data practices that are not related to an app’s basic functionality or that involve sensitive information.” The guide addresses all apps originating in or targeting California users, but can also be implemented by industry players in other parts of the world.

European data processing restrictions typically set a high standard for data protection for all players in the mobile sphere, and this guidance addresses any app developer, distributor, or mobile device data recipient operating in the EU. The opinion of the Article 29 Working Party, comprising privacy regulators from all 28 EU Member States, focuses on “the consent requirement, the principles of purpose limitation and data minimization, the need to take adequate security measures, the obligation to correctly inform end users, their rights, reasonable retention periods and specifically, fair processing of data collected from and about children.”

In this staff report, the primary federal privacy regulator in the U.S. offers “several suggestions for the major participants in the mobile ecosystem as they work to improve mobile privacy disclosures.” Recentsettlements demonstrate the FTC’s focus on mobile apps and its readiness to bring enforcement actions against them. While this report is non-binding, “the FTC will view adherence to [strong mobile codes of conduct] favorably in connection with its law enforcement work.”

The Center for Democracy and Technology, an advocacy group, and the Future of Privacy Forum, a privacy think tank, worked jointly to release this “primer for developers who are interested in preserving their customers’ privacy but who aren’t necessarily privacy experts themselves.” The guide addresses app developers specifically and provides policy recommendations to foster privacy by design, better inform and empower end-users, and bolster consumer trust.

The GSM Association (GSMA), which represents mobile operators worldwide, “unites nearly 800 mobile operators with 250 companies in the broader mobile ecosystem.” Its mobile privacy principles apply to all parties in the app service and delivery chain, and seek to engender user trust and implement privacy by design. In focusing on the principles of transparency, choice and control, the GSMA provides policy guidelines, implementation recommendations and specific use cases and examples.

The Network Advertising Initiative (NAI) Code governs only NAI member companies and its guidance is specific to mobile advertising activities. The Code is intended to complement other mobile and industry initiatives, including those from the Digital Advertising Alliance (DAA), the Mobile Marketing Association (MMA) and the National Telecommunications and Information Administration (NTIA), as well as the NAI’s desktop Code of Conduct. The Mobile Code emphasizes high-level principles of notice, choice and transparency to set a high but flexible industry standard for mobile advertising.

The NTIA’s voluntary code of conduct, created as part of the White House’s privacy strategy, incorporates guidance from multiple privacy stakeholders to describe how and when an app might use a short form notice about its collection and sharing of consumer information with third parties. The code primarily targets app developers, and does not apply to software that consumers do not directly interact with, inherent functions of a device, or apps that are solely provided or sold to enterprises for use within those businesses.

Conclusion

In the rapidly evolving world of app development and mobile privacy, it can be difficult to navigate the maze of regulatory requirements, industry standards and best practice recommendations. Each of the guides distilled into the Mobile App Privacy Tool emphasizes a slightly different approach to implementing commonly accepted principles in order to find the right balance between consumer privacy and mobile app entrepreneurialism. While businesses are urged to at least meet industry standards, they should pay careful attention to implementation of stricter recommendations issued by regulators to minimize the risks of a privacy violations and ensuing enforcement actions.

While these codes and guidance documents are voluntary and non-binding, they serve as a good indication for businesses of potential regulatory enforcement. Remember that if your app touches the types of information covered by specific laws or regulations (such as children’s information, credit reports, healthinformation, or commercial communications) you will also have to comply with those laws. As ever, it is crucial to make sure that you live up to the letter and spirit of any promise you make to users about privacy and data security, to avoid liability under Section 5 of the FTC Act or potentially bruising class action litigation. Accordingly, it is important to notify users if and when you change how their information is used or collected. Last but not least, remember that your apps must also comply with the terms and conditions of any platform or app store through which they are offered, including the Apple Store, Google Play and the Facebook Platform.

We look forward to receiving your comments and input on operationalizing the Mobile App Privacy Tool through the Privacy List or via email: kfinch@privacyassociation.org.

Written By

0 Comments

Related

The White House released what it’s calling a “discussion draft” of its Consumer Privacy Bill of Rights (CPBR) late Friday. The bill aims to “establish baseline protections for individual privacy in the commercial arena and to foster timely, flexible implementations of these protections through enforceable codes of conduct developed by diverse stakeholders.” We round up the various reactions.
Read more

President Obama’s recent proposal of a National Data Breach Notification Standard (or The Personal Data Notification & Protection Act) has received widespread attention for its promise to preempt and unify the existing patchwork of state-level requirements. IAPP Westin Research Fellow Patricia Bailin analyzes the proposed bill and how it would impact state, city and territorial laws.
Read more

On Wednesday, the Digital Advertising Alliance announced an extension of its AdChoices program beyond the desktop. AppChoices, an app consumers can download (with an attendant web page), allows consumers to manage ad preferences one step further, offering the ability to opt out of targeted ads served through apps on mobile devices.
For example, consumers can choose not to allow advertisers to target them based on their location.
Now, why would a company like xAd, whose very business model invo...
Read more

First Data began its effort to win approval for its binding corporate rules (BCRs) in 2007. This month, the UK Information Commissioner's Office (ICO) officially recognized the multinational payment solutions company's BCRs for data processors. Now able to boast it's been approved for both processors and controllers, it's also the first company to have done so under the purview of the ICO.
Read more

In the first of a three-part series on the people, process and technology impacts of Europe’s forthcoming General Data Protection Regulation, Steve Kenny looks at people and a rationale for evolving risk management philosophy.
Read more

Tags

The IAPP is the largest and most comprehensive global information privacy community and resource. Founded in 2000, the IAPP is a not-for-profit organization that helps define, support and improve the privacy profession globally.Learn more

The IAPP is the only place you’ll find a comprehensive body of resources, knowledge and experts to help you navigate the complex landscape of today’s data-driven world. We offer individual, corporate and group memberships, and all members have access to an extensive array of benefits.